Changes reverted after trying to write any data

MongoDB Atlas App Services & Realm
1

Received: ERROR “Client attempted a write that is outside of permissions or query filters; it has been reverted” (error_code=231, try_again=true, recovery_disabled=false)

I’m trying to debug this error. I have this default role on all my collections:

Screen Shot 2022-08-08 at 8.08.35 AM
Screen Shot 2022-08-08 at 8.08.35 AM1964×1572 184 KB
.

When I try to add a role to an individual collection I see the error “default roles can’t be used for table “Pets”: invalid permissions for “read”: invalid match expression: key “owner_id” is a queryable field, but doesn’t exist on this table’s schema”

Indeed, owner_id is not in my schema. I see that it’s set as a queryable field. Do I need to add it to my schema, is that the source of my trouble? Thank you.

2

Hi, unfortunately, the picture you attached is not relevant as Sync uses its own permissions on the Sync Page (we are working on integrating them into the rules page). Can you send either (a) a link to your app (the URL in the App Services UI) or (b) Your permissions defined in the Sync page?

The “Error” you are getting is actually a feature called “Compensating Writes”, which means that if a client writes something that it is not allowed to see due to permissions, then it will not just reject the write and break sync, but rather “fix” the client by undoing that write (since it is not allowed to make the write)

1 Like
3

Thanks for the quick reply. I changed the permissions under sync to this and I’m able to write date:

{
  "defaultRoles": [
    {
      "name": "read-write", 
      "applyWhen": {},
      "read": true,
      "write": true
    }
  ]  
}

I’m still confused why the prior rule didn’t allow my write:

{
  "defaultRoles": [
    {
      "name": "owner-read-write", 
      "applyWhen": {},
      "read": {"owner_id": "%%user.id"},
      "write": {"owner_id": "%%user.id"}
    }
  ]  
}

Would I need to set owner_id prior to writing the objects to realm?

4

Hi, so it depends what your write was trying to do. Those permissions mean that on every write, we take the PreImage of the document and the PostImage and both of them have to have "owner_id"== "%%user.id" if they are not empty.

The last bit is key so that you can “insert” a document with {"owner_id": "%%user.id"} but you canot update an existing document with { owner_id: "abc" } to be {"owner_id": "%%user.id"} because that would let it update a document it is not allowed to see or write to.

1 Like
5

HI, i got a same error

is the owner_id a Field on the Schema?
is it {“(Collection).(Field) “: “%%user.id”} or only {”(Field)”: “%%user.id”} ?